

About this Guide 


This user guide is intended for application developers who will use the APIs for Container 
Runtime Security (CRS). 


CRS provides runtime visibility and protection for containers. This is achieved by 
instrumenting images with Container Security components that gather functional-level 
behavioral data about the processes running within a container. This behavioral data is 
used by Container Security to visualize process activity. You can create and apply security 
policies that provide custom security controls based on the container’s activity. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a
founding member of the Cloud Security Alliance (CSA). For more information, please visit
www.qualys.com.


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access online support information at www.qualys.com/support/. 




Accessing the APIs 


Several features of Container Runtime Security are available through REST APIs. 


Permissions required to use APIs 
- User must have the Container Security (CS) module enabled 


- User must have API ACCESS permission 


Qualys API URLs 


Container Security supports the Qualys API gateway for API requests. 


The Qualys API gateway URL you should use for API requests depends on the Qualys 
platform where your account is located. 


Click here to identify your Qualys platform and get the API Gateway URL 


Authentication for Gateway URLs 


You must authenticate to the Qualys Cloud Platform using Qualys account credentials 
(user name and password) and get the JSON Web Token (JWT) before you can start using 
the Gateway URLs. Use the Qualys Authentication API to get the JWT. 


For example: 


curl -X POST 'https://gateway.qg1.apps.qualys.com/auth' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=Value' \
--data-urlencode 'password=Value' \
--data-urlencode 'token=true' \
--data-urlencode 'permissions=true'


where gateway.qg1.apps.qualys.com is the base URL to the Qualys API server where your 
account is located. 


- username and password are the credentials of the user account for Container Security 
- token should be true 
- Content-Type should be "application/x-www-form-urlencoded" 


The Authentication API returns a JSON Web Token (JWT) which you can use for 
authentication during Container Security API calls. The token expires in 4 hours. You must 
regenerate the token to continue using the Container Security API. 
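
The token handling described above, as an added example that is not part of the Qualys guide: a cache that reuses one JWT and re-authenticates shortly before the 4-hour expiry. Assumptions: the /auth response body is the bare token string, the five-minute renewal margin, and the environment variable names QUALYS_USERNAME and QUALYS_PASSWORD are all hypothetical choices.

```python
import os
import time
import urllib.parse
import urllib.request

TOKEN_LIFETIME_S = 4 * 60 * 60   # from the guide: the JWT expires in 4 hours
REFRESH_MARGIN_S = 5 * 60        # assumption: renew five minutes early


def fetch_jwt(gateway, username, password, timeout=30):
    """POST form-encoded credentials to https://<gateway>/auth.

    Assumption: the response body is the bare JWT string.
    """
    form = urllib.parse.urlencode({
        "username": username,
        "password": password,
        "token": "true",
        "permissions": "true",
    }).encode("ascii")
    req = urllib.request.Request(
        f"https://{gateway}/auth",
        data=form,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8").strip()


class TokenCache:
    """Hold one JWT in memory and replace it before it expires."""

    def __init__(self, fetch, clock=time.monotonic,
                 lifetime_s=TOKEN_LIFETIME_S, margin_s=REFRESH_MARGIN_S):
        self._fetch = fetch              # zero-argument callable returning a JWT
        self._clock = clock
        self._valid_for = lifetime_s - margin_s
        self._token = None
        self._issued_at = None

    def token(self):
        now = self._clock()
        if self._token is None or now - self._issued_at >= self._valid_for:
            # Timestamp taken before the request, so the cached age never
            # under-counts the time since the server issued the token.
            self._token = self._fetch()
            self._issued_at = now
        return self._token

    def invalidate(self):
        """Forget the token (for example after an HTTP 401) to force a new login."""
        self._token = None

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}

    def __repr__(self):
        # Keep the token itself out of logs and tracebacks.
        return f"<TokenCache cached={self._token is not None}>"


def cache_from_env(gateway):
    """Read credentials from the environment only when a login is needed.

    QUALYS_USERNAME and QUALYS_PASSWORD are hypothetical variable names.
    """
    return TokenCache(lambda: fetch_jwt(
        gateway, os.environ["QUALYS_USERNAME"], os.environ["QUALYS_PASSWORD"]))
```

Reading the password from the environment keeps it out of shell history and the process list, where a curl command line would expose it.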




Online API Guide 
You can directly access an online API guide from the following URL:

http://<QualysGatewayURL>/apidocs/csapi/v1.3/runtime

For example, if your account is on US Platform 1:

https://gateway.qg1.apps.qualys.com/apidocs/csapi/v1.3/runtime




Configurations 

Here is the list of the APIs we currently support for instrumentation configurations: 

API Objective                              Operator  API Path
Get all configurations in your account     GET       /csapi/v1.3/runtime/configs
Get details for a specific configuration   GET       /csapi/v1.3/runtime/configs/{configId}
Create a new configuration                 POST      /csapi/v1.3/runtime/configs
Update a configuration                     PUT       /csapi/v1.3/runtime/configs/{configId}


Samples for various operations on configurations: 


Get all configurations in your account 
Get details for a specific configuration 
Create a configuration 
Update a configuration 


Get all configurations in your account 


/csapi/v1.3/runtime/configs
[GET]

API request:

curl 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/configs' \
--header 'Authorization: Bearer <token>'

Response:

[
  {
    "id": "5e18c86e4e08ce0001368941",
    "created": "2020-01-10T18:54:38.822",
    "updated": "2020-01-10T18:54:38.822",
    "policyId": "5e18c86e4e08ce0001368940",
    "logMode": "POLICY_MONITOR_DENY",
    "isDefaultConfig": true,
    "name": "default config"
  },
  {
    "id": "5e1ae506b06e090001bf8741",
    "created": "2020-01-10T18:54:38.822",
    "updated": "2020-06-04T13:03:53.676Z",
    "policyId": "5e2587fd6bee780001c5625e",
    "logMode": "POLICY_MONITOR_DENY",
    "isDefaultConfig": false
  }
]




Get details for a specific configuration 
/csapi/v1.3/runtime/configs/{configId}
[GET]

Input Parameters:

Parameter          Description
configId           (Required) Specify the ID of the configuration you want
                   to get details on.

API request:

curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/configs/5e284a064b80630001437f4e' \
--header 'Authorization: Bearer <token>'

Response:

{
  "id": "5e284a064b80630001437f4e",
  "created": "2020-06-08T10:03:43.507Z",
  "updated": "2020-06-08T10:07:44.249Z",
  "policyId": "5e18c86e4e08ce0001368940",
  "logMode": "ALL",
  "isDefaultConfig": false,
  "name": "example configuration"
}


Create a configuration 


/csapi/v1.3/runtime/configs
[POST]

Input Parameters:

Parameter          Description
name               Specify a name for the new configuration. Enter a
                   maximum of 256 characters.
policyId           (Required) Specify the ID of the security policy for this
                   container. Sample value: 59c2dc5dc07f870001548489
                   A valid policy ID must be provided, and the specified
                   policy must be present for the user.
logMode            (Required) For API v1.3, specify logMode with a string
                   value to indicate which policy hits (rule matches) get
                   logged. Possible values: NONE, POLICY_MONITOR,
                   POLICY_DENY, POLICY_MONITOR_DENY,
                   POLICY_ALLOW, POLICY_ALL, BEHAVIOR, ALL. Values
                   are case sensitive.
                   For API v1.2, specify LogMode with the numeric value.
                   Possible values:
                   None: 0
                   Policy Monitor: 1
                   Policy Deny: 2
                   Policy Monitor Deny: 3
                   Policy Allow: 4
                   Policy All: 7
                   Behavior: 8
                   All: 15
isDefaultConfig    (Required) For API v1.3, use isDefaultConfig. For API
Default            v1.2, use Default. Set to false by default. Specify true to
                   make this the default configuration for group.

API request:

curl --location --request POST 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/configs' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: text/plain' \
--data-raw '{
  "name": "example configuration",
  "policyId": "59c2dc5dc07f870001548489",
  "logMode": "POLICY_MONITOR",
  "isDefaultConfig": false
}'

Response:

{
  "id": "5ede0cfff42b100001905d58",
  "created": "2020-06-08T10:03:43.507Z",
  "updated": "2020-06-08T10:03:43.507Z",
  "policyId": "59c2dc5dc07f870001548489",
  "logMode": "POLICY_MONITOR",
  "isDefaultConfig": false,
  "name": "example configuration"
}




Update a configuration 


/csapi/v1.3/runtime/configs/{configId}
[PUT]

Input Parameters:

Parameter          Description
configId           (Required) The ID of the configuration to update.
name               Specify a name for the configuration. Enter a maximum
                   of 256 characters.
policyId           (Required) Specify the ID of the security policy for this
                   container. Sample value: 59c2dc5dc07f870001548489
                   A valid policy ID must be provided, and the specified
                   policy must be present for the user.
logMode            (Required) For API v1.3, specify logMode with a string
                   value to indicate which policy hits (rule matches) get
                   logged. Possible values: NONE, POLICY_MONITOR,
                   POLICY_DENY, POLICY_MONITOR_DENY,
                   POLICY_ALLOW, POLICY_ALL, BEHAVIOR, ALL. Values
                   are case sensitive.
                   For API v1.2, specify LogMode with the numeric value.
                   Possible values:
                   None: 0
                   Policy Monitor: 1
                   Policy Deny: 2
                   Policy Monitor Deny: 3
                   Policy Allow: 4
                   Policy All: 7
                   Behavior: 8
                   All: 15
isDefaultConfig    (Required) For API v1.3, use isDefaultConfig. For API
Default            v1.2, use Default. Set to false by default. Specify true to
                   make this the default configuration for group.

API request:

curl --location --request PUT 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/configs/5ede0cfff42b100001905d58' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: text/plain' \
--data-raw '{
  "name": "example configuration",
  "policyId": "59c2dc5dc07f870001548489",
  "logMode": "ALL",
  "isDefaultConfig": false
}'

Response:

{
  "id": "5ede0cfff42b100001905d58",
  "created": "2020-06-08T10:03:43.507Z",
  "updated": "2020-06-08T10:07:44.249Z",
  "policyId": "5e18c86e4e08ce0001368940",
  "logMode": "ALL",
  "isDefaultConfig": false,
  "name": "example configuration"
}



Containers 


Here is the list of the APIs we currently support for containers: 


API Objective                                     Operator  API Path
Get runtime details of container                  GET       /csapi/v1.3/runtime/containers/{containerSha}
Get runtime profile for container                 GET       /csapi/v1.3/runtime/containers/{containerSha}/runtimeprofile
Build a security policy based on a container's    POST      /csapi/v1.3/runtime/containers/{containerSha}/template
behavior
Assign instrumentation configuration to           POST      /csapi/v1.3/runtime/containers/{containerSha}/configs/{configId}
container


Samples for various operations on containers: 


Get runtime details of a container 

Get runtime profile for a container 

Build a security policy based on a container's behavior 
Assign a configuration to a container 


Get runtime details of a container 


/csapi/v1.3/runtime/containers/{containerSha}
[GET]

Input Parameters:

Parameter              Description
containerSha={value}   (Required) Specify the SHA value of the container for
                       which you want to get runtime details.

API request:

curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/containers/7113e5aa32875169d41d168a871ca17a510663a6c0ea0e3a9ba03d0eea00cff6' \
--header 'Authorization: Bearer <token>'

Response:

{
  "containerSha": "7113e5aa32875169d41d168a871ca17a510663a6c0ea0e3a9ba03d0eea00cff6",
  "configId": "5e7df4f14b89300001cde5cb"
}



Get runtime profile for a container 
/csapi/v1.3/runtime/containers/{containerSha}/runtimeprofile
[GET]

Input Parameters:

Parameter              Description
containerSha={value}   (Required) Specify the SHA value of the container for
                       which you want to get the runtime profile.

API request:

curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/containers/7113e5aa32875169d41d168a871ca17a510663a6c0ea0e3a9ba03d0eea00cff6/runtimeprofile' \
--header 'Authorization: Bearer <token>'

Response:

{
  "files": [
    "/etc/ld.so.cache",
    "/etc/resolv.conf",
    "/lib/x86_64-linux-gnu/libacl.so.1",
    "/lib/x86_64-linux-gnu/libacl.so.1.1.0",
    "/lib/x86_64-linux-gnu/libattr.so.1",
    "/lib/x86_64-linux-gnu/libattr.so.1.1.0",
    "/lib/x86_64-linux-gnu/libc-2.19.so",
    "/lib/x86_64-linux-gnu/libc.so.6",
    "/lib/x86_64-linux-gnu/libdl-2.19.so",
    "/lib/x86_64-linux-gnu/libdl.so.2",
    "/lib/x86_64-linux-gnu/libpcre.so.3",
    "/lib/x86_64-linux-gnu/libpcre.so.3.13.1",
    "/lib/x86_64-linux-gnu/libpthread-2.19.so",
    "/lib/x86_64-linux-gnu/libpthread.so.0",
    "/lib/x86_64-linux-gnu/libselinux.so.1"
  ],
  "programs": [
    "/bin/cat",
    "/bin/ls",
    "/bin/sh"
  ],
  "ports": null,
  "ips": null
}



Build a security policy based on a container’s behavior 
/csapi/v1.3/runtime/containers/{containerSha}/template
[POST]

Important - The container you specify must have Behavior logs present in order to
successfully create a template policy based on the container's behavior.

Input Parameters:

Parameter          Description
containerSha       (Required) Specify the SHA value of the container for
                   which you want to create a new custom security policy
                   based on the recorded activities of the specified
                   container.

API request:

curl --location --request POST 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/containers/7113e5aa32875169d41d168a871ca17a510663a6c0ea0e3a9ba03d0eea00cff6/template' \
--header 'Authorization: Bearer <token>'

Response:

{
  "policyId": "5ede15a34b23720001a75560"
}


Assign a configuration to a container 
/csapi/v1.3/runtime/containers/{containerSha}/configs/{configId}
[POST]

Input Parameters:

Parameter          Description
containerSha       (Required) Specify the SHA value of the container that
                   you're assigning the configuration to.
configId           (Required) Specify the ID of the configuration you want
                   to assign to the container.

API request:

curl --location --request POST 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/containers/7113e5aa32875169d41d168a871ca17a510663a6c0ea0e3a9ba03d0eea00cff6/configs/5e7df4f14b89300001cde5cb' \
--header 'Authorization: Bearer <token>'

Response:

response code 200



Images 

Here is the list of the APIs we currently support for images: 

API Objective                                     Operator  API Path
Instrument image with Qualys instrumentation      POST      /csapi/v1.1/images/{imageId}/instrument
Get CRS configuration of an image with            GET       /csapi/v1.3/runtime/images/{imageSha}/agentconfig
instrumentation
Get configuration ID of an instrumented image     GET       /csapi/v1.3/runtime/images/{imageSha}/config
Assign instrumentation configuration to an image  POST      /csapi/v1.3/runtime/images/{imageSha}/configs/{configId}


Samples for various operations on images: 


Instrument image with Qualys instrumentation 

Get CRS configuration of an image with instrumentation 
Get configuration ID for instrumented image 

Assign configuration to an image 


Instrument image with Qualys instrumentation 


Once the instrumenter service is up and running in your environment, you can 
instrument your images. Note that you can only instrument images that have been 
scanned by a registry scan job (registry sensor). For this API endpoint, you'll use the 
Container Security API. To learn more about using Container Security APIs, please refer to 
the Container Security API User Guide. 


/csapi/v1.1/images/{imageId}/instrument
[POST]

Input Parameters:

Parameter          Description
imageId            (Required) Specify the ID or SHA value of the image that
                   you want to instrument.
pullRegistryUuid   The UUID of the registry where the image is located.
pullRepository     Name of the repository where the image is located.
pullTag            Tag associated with the image.
pushRegistryUuid   The UUID of the registry where you want to put the
                   instrumented image.
pushRepository     Name of the repository where you want to put the
                   instrumented image.
pushTag            Tag to be associated with the instrumented image.

API request:

curl -X POST --header 'Content-Type: application/json' --header 'Accept: text/plain' \
--header 'Authorization: Basic VVNFUk5BTUU6UEFTU1dPUkQ=' \
-d '{
  "imageId": "b5e5ffb5cdea",
  "pullRegistryUuid": "44a38be9-5eaa-4062-9ee3-5c60c50b430f",
  "pullRepository": "centos",
  "pullTag": "6",
  "pushRegistryUuid": "44a38be9-5eaa-4062-9ee3-5c60c50b430f",
  "pushRepository": "centos",
  "pushTag": "6-1.2"
}' \
'http://qualysapi.qualys.com/csapi/v1.1/images/b5e5ffb5cdea/instrument'

Response:

response code 200


Get CRS configuration of an image with instrumentation 


/csapi/v1.3/runtime/images/{imageSha}/agentconfig
[GET]

Use this API to return the compiled policy for a base image that has instrumentation
added in.

Input Parameters:

Parameter          Description
imageSha           (Required) Specify the SHA value of the image for which
                   you want to get the CRS agent configuration.
raw                Default value is false. Specify true to get the response
                   format output in raw format.

API request:

curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/images/d6c910425801a703530b92f943575b8ea9daa520f77f96e891993f1549a27073/agentconfig' \
--header 'Authorization: Bearer <token>'


Response:


Get configuration ID for instrumented image 
/csapi/v1.3/runtime/images/{imageSha}/config
[GET]

Use this API to return the configuration ID assigned to an instrumented image. Once you
have the configId, you'll be able to use it in other API calls that require it.

Input Parameters:

Parameter              Description
imageSha={value}       (Required) Specify the SHA value of an instrumented
                       image for which you want to get the configuration ID.

Sample
In this sample, we'll get the configId for the specified image.

API request:

curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/images/6124ce09d13b89e2f26f01f8/config' \
--header 'Authorization: Bearer <token>'

Response:

{
  "ConfigID": "6124ce09d13089e2f26f01f8"
}

Assign configuration to an image
/csapi/v1.3/runtime/images/{imageSha}/configs/{configId}
[POST]

Input Parameters:

Parameter          Description
imageSha           (Required) Specify the SHA value of the image for which
                   you want to assign the CRS agent configuration.
configId           (Required) Specify the ID of the configuration you want
                   to assign to the specified image.

API request:

curl --location --request POST 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/images/d6c910425801a703530b92f943575b8ea9daa520f77f96e891993f1549a27073/configs/5e7df4f14b89300001cde5cb' \
--header 'Authorization: Bearer <token>'

Response:

response code 200



Events 

Here is the list of the APIs we currently support for events: 

API Objective      Operator  API Path
Get all events     GET       /csapi/v1.3/runtime/events


Samples for various operations on events: 


Get all events in your account 


Get all events in your account 
/csapi/v1.3/runtime/events 
[GET] 


There are several options for filtering the events returned in the output. For example, you 
can only get events created after a certain date, before a certain date or within a date 
range. You can also filter the list to get events for a particular container or with a certain 
action type. See all options below. 


Input Parameters: 


Parameter          Description
eventType          (Required) Specify the type of logs you want to return.
                   Possible values are: STANDARD, BEHAVIOR.
startTime          Specify a starting date/time to get events created after
                   this date. Specify the date in the format
                   [YYYY-MM-DD'T'hh:mm:ss].
endTime            Specify an ending date/time to get events created before
                   this date. Specify the date in the format
                   [YYYY-MM-DD'T'hh:mm:ss].
filter             Specify a string value for a search query to filter the list
                   of events returned in the output. In the search query
                   you can include any value that appears in the response
                   body like action, system, systemCall, containerSha,
                   uuid, etc.
                   For example, filter events with a string like this:
                   filter=action:ALLOW AND
                   containerSha:dc58cab81c9a1edb8cd39d34a8a61942c56dc1d4ad27668684be4169d4f0cec5
pageNumber         The page to be returned. Page numbers start with 1.
pageSize           The number of records per page to be included in the
                   response. When not specified you'll get 10 events.



Sample for returning all events with Standard type 
You'll get up to 10 events in the output by default. 


API request: 


curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/events?eventType=STANDARD' \
--header 'Authorization: Bearer <token>'

Response:

[
  {
    "customerUuid": "6e0afd12-479c-db0d-822a-793a56bfe353",
    "containerSha": "3368ab5ebbccb9d17d45cf62f6fa289edade4af81ef5a94e04a4406a1904175d",
    "eventType": "STANDARD",
    "uuid": "70b0dd00-cde7-11ea-8000-a130bd09cb71",
    "created": 1595620450000,
    "action": "DENY",
    "bindAddress": null,
    "bindPort": 0,
    "fileName": "/etc/passwd",
    "openMode": 0,
    "processId": 42,
    "processName": "/usr/bin/cat",
    "seen": 1,
    "system": "amd64",
    "systemCall": 2,
    "systemCallName": "sys_open"
  },
  {
    "customerUuid": "6e0afd12-479c-db0d-822a-793a56bfe353",
    "containerSha": "3368ab5ebbccb9d17d45cf62f6fa289edade4af81ef5a94e04a4406a1904175d",
    "eventType": "STANDARD",
    "uuid": "70b5b0dd00-cde7-11ea-8000-51fe233a28cb",
    "created": 1595620450000,
    "action": "DENY",
    "bindAddress": null,
    "bindPort": 0,
    "fileName": "/etc/passwd",
    "openMode": 0,
    "processId": 43,
    "processName": "/usr/bin/cat",
    "seen": 1,
    "system": "amd64",
    "systemCall": 2,
    "systemCallName": "sys_open"
  }
]



More Samples 
Try these additional samples in your account. 


Sample with Page Number and Page Size specified 
In this sample we've specified the number of events to show in the output. 


API request: 


curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/events?eventType=STANDARD&pageNumber=1&pageSize=5' \
--header 'Authorization: Bearer <token>'


Sample to get events with certain action 


In this sample the filter parameter is used to get events with the ALLOW action. Be sure to 
specify the action value in all caps (ALLOW, DENY, MONITOR). 


API request: 


curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/events?eventType=BEHAVIOR&filter=action:ALLOW' \
--header 'Authorization: Bearer <token>'


Sample to get events created within a particular date range 
In this sample we'll get events created between June 30, 2020 and July 1, 2020. 


API request: 


curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/events?eventType=BEHAVIOR&startTime=2020-06-30T08:30:29&endTime=2020-07-01T08:30:29' \
--header 'Authorization: Bearer <token>'


Samples using filter string as input 
In this sample we'll only get events for the specified container. 


API request: 


curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/events?eventType=BEHAVIOR&filter=containerSha:dc58cab81c9a1edb8cd39d34a8a61942c56dc1d4ad27668684be4169d4f0cec5' \
--header 'Authorization: Bearer <token>'



In this sample we'll only get events with the ALLOW action for the specified container. 


API request: 


curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/events?eventType=BEHAVIOR&filter=action:ALLOW%20AND%20containerSha:dc58cab81c9a1edb8cd39d34a8a61942c56dc1d4ad27668684be4169d4f0cec5' \
--header 'Authorization: Bearer <token>'
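
The events parameters above combined into one client-side routine, as an added example that is not part of the Qualys guide: it builds the query string with the filter's spaces percent-encoded, walks the pages, and groups DENY events for triage. Assumptions: fetch_page is a hypothetical callable that performs the authenticated GET and returns the decoded JSON list, a page shorter than pageSize is taken as the last page, and the sample events are constructed from the response shown earlier.

```python
import urllib.parse
from collections import Counter

EVENTS_PATH = "/csapi/v1.3/runtime/events"
EVENT_TYPES = ("STANDARD", "BEHAVIOR")


def and_filter(**terms):
    """Join field:value terms with AND, as in the guide's filter sample."""
    for field, value in terms.items():
        # Whitespace in a value could smuggle extra AND/OR clauses into the query.
        if not value or any(ch.isspace() for ch in str(value)):
            raise ValueError(f"unsafe filter value for {field!r}")
    return " AND ".join(f"{field}:{value}" for field, value in terms.items())


def events_url(gateway, event_type, flt=None, start=None, end=None,
               page=1, size=10):
    """Build the GET URL; spaces in the filter become %20, colons stay literal."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"eventType must be one of {EVENT_TYPES} (case sensitive)")
    if page < 1 or size < 1:
        raise ValueError("pageNumber starts at 1 and pageSize must be positive")
    params = {"eventType": event_type}
    if start:
        params["startTime"] = start
    if end:
        params["endTime"] = end
    if flt:
        params["filter"] = flt
    params["pageNumber"] = page
    params["pageSize"] = size
    query = urllib.parse.urlencode(params, safe=":", quote_via=urllib.parse.quote)
    return f"https://{gateway}{EVENTS_PATH}?{query}"


def iter_events(fetch_page, gateway, event_type, size=10, max_pages=1000, **kw):
    """Yield events page by page until a page comes back shorter than size."""
    for page in range(1, max_pages + 1):
        batch = fetch_page(events_url(gateway, event_type,
                                      page=page, size=size, **kw))
        yield from batch
        if len(batch) < size:
            return


def deny_summary(events):
    """Count DENY events per (containerSha, processName, fileName)."""
    hits = Counter()
    for ev in events:
        if ev.get("action") == "DENY":
            hits[(ev.get("containerSha"), ev.get("processName"),
                  ev.get("fileName"))] += 1
    return hits.most_common()


# Constructed sample data: the first two entries mirror the guide's response,
# the third is made up so the summary has something to skip.
SAMPLE_SHA = "3368ab5ebbccb9d17d45cf62f6fa289edade4af81ef5a94e04a4406a1904175d"
SAMPLE_EVENTS = [
    {"containerSha": SAMPLE_SHA, "action": "DENY", "processId": 42,
     "processName": "/usr/bin/cat", "fileName": "/etc/passwd"},
    {"containerSha": SAMPLE_SHA, "action": "DENY", "processId": 43,
     "processName": "/usr/bin/cat", "fileName": "/etc/passwd"},
    {"containerSha": SAMPLE_SHA, "action": "ALLOW", "processId": 44,
     "processName": "/usr/bin/cat", "fileName": "/etc/hostname"},
]


def sample_fetch(url):
    """Offline stand-in for fetch_page: serves SAMPLE_EVENTS by page."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    page, size = int(query["pageNumber"][0]), int(query["pageSize"][0])
    return SAMPLE_EVENTS[(page - 1) * size: page * size]


if __name__ == "__main__":
    found = iter_events(sample_fetch, "gateway.qg1.apps.qualys.com",
                        "STANDARD", size=2)
    for key, count in deny_summary(found):
        print(count, *key)
```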


Policies 

Here is the list of the APIs we currently support for policies: 

API Objective                        Operator  API Path
Get all policies in your account     GET       /csapi/v1.3/runtime/policies
Get details for a specific policy    GET       /csapi/v1.3/runtime/policies/{policyId}
Create a new security policy         POST      /csapi/v1.3/runtime/policies
Update a security policy             PUT       /csapi/v1.3/runtime/policies/{policyId}
Delete a security policy             DELETE    /csapi/v1.3/runtime/policies/{policyId}


Samples for various operations on policies: 


Get all policies in your account 
Get details for a specific policy 
Create a new security policy 
Update a security policy 
Delete a security policy 


Get all policies in your account 
/csapi/v1.3/runtime/policies
[GET]

Input Parameters:

Parameter          Description
pageNumber         The page to be returned. The default value is 1.
pageSize           The number of records per page to be included in the
                   response. When not specified, you'll get 50 records.
filter             Specify a string value for a search query to filter the list
                   of policies returned in the output. Only name is
                   supported in filter query. For example, enter
                   filter=name:Default to return policies with "Default" in
                   the name. The search is case sensitive. Double quotes
                   can be used when your search value contains more than
                   one word, such as filter=name:"Test Policy".


Sample - Get all policies 


API request: 


curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/policies' \
--header 'Authorization: Bearer <token>'

Response:

[
  {
    "id": "5e171bef8530d7000151408e",
    "name": "Default Policy",
    "created": "2020-01-09T12:26:23.496Z",
    "updated": "2020-01-09T12:26:23.496Z",
    "description": "Default group policy",
    "policyMode": "ACTIVE"
  },
  {
    "id": "5e171c738530d70001514091",
    "name": "Prevent tampering to hosts file",
    "created": "2020-01-09T12:28:35.761Z",
    "updated": "2020-01-09T12:28:35.761Z",
    "description": "Modifications to 'hosts' and 'resolve.conf' file can result in resolution of Domain name to malicious IP. This policy checks for the 'Write' event on either of the specified files",
    "policyMode": "ACTIVE"
  },
  {
    "id": "5e81cf5df12860000129938c",
    "name": "Deny access in etc v11 Updating With PUT",
    "created": "2020-05-29T04:54:16.432Z",
    "updated": "2020-05-29T04:54:16.432Z",
    "description": "Deny access in /etc dir for important files",
    "policyMode": "INACTIVE"
  }
]

Sample - Filter policies list

In this sample, we're filtering the list of policies to only show policies with "Deny" in the
policy name.


API request: 


curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/policies?filter=name:Deny' \
--header 'Authorization: Bearer <token>'

Response:

[
  {
    "id": "5e171bef8530d7000151408e",
    "name": "Deny Write Static Website Files",
    "created": "2020-01-09T12:26:23.496Z",
    "updated": "2020-01-09T12:26:23.496Z",
    "description": "This sample policy prevents static website files from being altered",
    "policyMode": "ACTIVE"
  },
  {
    "id": "5e171c738530d70001514091",
    "name": "Deny cat command access to /etc/passwd file",
    "created": "2020-01-09T12:28:35.761Z",
    "updated": "2020-01-09T12:28:35.761Z",
    "description": "This sample policy denies access to /etc/passwd file from program cat",
    "policyMode": "ACTIVE"
  }
]


Get details for a specific policy 
/csapi/v1.3/runtime/policies/{policyId}
[GET]

Input Parameters:

Parameter          Description
policyId           (Required) Specify the ID of a specific policy for which
                   you want to get details.

API request:

curl --location --request GET 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/policies/5eba6fef2c79c40001e23488' \
--header 'Authorization: Bearer <token>'

Response:

{
  "id": "5eba6fef2c79c40001e23488",
  "name": "My CRS Policy",
  "created": "2020-05-12T09:44:15.315Z",
  "updated": "2020-05-12T09:44:15.315Z",
  "defaultNetworkAction": "ALLOW",
  "defaultExecuteAction": "ALLOW",
  "defaultFileAction": "ALLOW",
  "rules": [
    {
      "id": "5fa25442e677eb00012916b7",
      "name": "Static file modification deny",
      "created": "2020-05-12T09:44:15.315Z",
      "updated": "2020-05-12T09:44:15.315Z",
      "inactive": false,
      "ruleType": "WRITE",
      "program": "*",
      "action": "DENY",
      "file": "/var/www/html/*",
      "port": 0,
      "ipAddress": "",
      "syscall": "",
      "arg1": "",
      "arg2": "",
      "arg3": ""
    },
    {
      "id": "5fa2512de677eb00012916b5",
      "name": "Deny Hosts Write Attempt",
      "created": "2020-05-12T09:44:15.315Z",
      "updated": "2020-05-12T09:44:15.315Z",
      "inactive": false,
      "ruleType": "READ",
      "program": "/bin/cat",
      "action": "DENY",
      "file": "/etc/hosts",
      "port": 0,
      "ipAddress": "",
      "syscall": "",
      "arg1": "",
      "arg2": "",
      "arg3": ""
    },
    {
      "id": "5fa24e78e677eb00012916b3",
      "name": "Deny Outbound",
      "created": "2020-05-12T09:44:15.315Z",
      "updated": "2020-05-12T09:44:15.315Z",
      "inactive": false,
      "ruleType": "NETWORK_OUTBOUND",
      "program": "*",
      "action": "DENY",
      "file": "",
      "port": 22,
      "ipAddress": "",
      "syscall": "",
      "arg1": "",
      "arg2": "",
      "arg3": ""
    },
    {
      "id": "5fa25442e677eb00012916bc",
      "name": "Block sshd communication",
      "created": "0001-01-01T00:00:00Z",
      "updated": "0001-01-01T00:00:00Z",
      "inactive": false,
      "ruleType": "NETWORK_INBOUND",
      "program": "*",
      "action": "DENY",
      "file": "",
      "port": 22,
      "ipAddress": "",
      "syscall": "",
      "arg1": "",
      "arg2": "",
      "arg3": ""
    }
  ],
  "ignoredSyscalls": ["sys_fork", "sys_chroot"],
  "policyMode": "ACTIVE",
  "description": "Deny access in /etc dir for important files"
}


Create a new security policy

/csapi/v1.3/runtime/policies
[POST]

Input Parameters:


Parameter             Description
name                  Specify a name for the policy.
description           Provide a description of your policy.
policyMode            (Required) For API v1.3, use policyMode to specify the
Mode                  policy mode using a string value. Possible values:
                      ACTIVE, INACTIVE, PERMISSIVE. Values are case
                      sensitive.
                      For API v1.2, use Mode to specify the policy mode using
                      the numeric value. Possible values:
                      Active: 0 (the default)
                      Inactive: 1
                      Permissive: 2
defaultNetworkAction  (Required) The default action when ruleType is
                      NETWORK_OUTBOUND or NETWORK_INBOUND.
                      Possible values: ALLOW or DENY. Values are case
                      sensitive.
defaultExecuteAction  (Required) The default action when ruleType is
                      SYSCALL. Possible values: ALLOW or DENY. Values are
                      case sensitive.
defaultFileAction     (Required) The default action when ruleType is READ or
                      WRITE. Possible values: ALLOW or DENY. Values are
                      case sensitive.
ignoredSyscalls       (Supported only with API v1.3) Define a list of system
                      call names to ignore for this policy. No events will be
                      created for ignored system calls even if there’s a policy
                      rule match. Only valid system call names are allowed.
                      Enter a list of values like this: ["sys_read", "sys_write"]
rules                 Policy rules defining controls for this policy specified
                      within an array. See Rule Parameters below.


Rule Parameters 


Specify rules within an array. These rules will define control for the policy. 


Parameter             Description
name                  (Required) Specify a name for the rule.
inactive              Specify whether the rule is inactive. Specify false (the
                      default) if the rule is active. Specify true if the rule is not
ruleType              (Required) Specify the type of rule. Possible values:
                      WRITE, NETWORK_OUTBOUND,
                      NETWORK_INBOUND, SYSCALL. Values are case
ipAddress             (Required when ruleType is NETWORK_OUTBOUND or
                      NETWORK_INBOUND) Specify the IP address this rule
port                  (Optional when ruleType is NETWORK_OUTBOUND or
                      NETWORK_INBOUND) Specify the network protocol that
                      this rule applies to.
program               Specify the path to program that this rule applies to.
                      Wildcards are allowed. The default value is "*".
file                  (Required when ruleType is READ or WRITE) Specify the
                      path to the file that the rule applies to.
syscall               (Required when ruleType is SYSCALL) The system call
                      provided must be a valid system call name.
arg1                  (Required when ruleType is SYSCALL) Variable
                      argument. Usage differs depending on rule type. Used
                      only in syscall rules.
arg2                  (Optional) Variable argument. Usage differs depending
                      on rule type. Used only in syscall rules.
arg3                  (Optional) Variable argument. Usage differs depending
                      on rule type. Used only in syscall rules.
action                (Required) Specify the action that should be taken if this
                      rule is matched. Possible values: ALLOW, DENY,
                      MONITOR. Values are case sensitive.
created               Timestamp for when object was created in the format
                      ['YYYY'-'MM'-'DD'T'hh':'mm':'ss'.'sss'Z].
updated               Timestamp for when object was last updated in the
                      format ['YYYY'-'MM'-'DD'T'hh':'mm':'ss'.'sss'Z].
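
The constraints in the two parameter tables (case-sensitive enumerations, fields required per ruleType) can be checked on the client before a policy body is sent. This is an added example, not code from the Qualys guide or from Qualys; validate_policy and SAMPLE are constructed names, and READ is accepted as a ruleType because the file parameter and the sample responses use it.

```python
# Added example (not Qualys code): checks a policy body against the tables above.
POLICY_MODES = {"ACTIVE", "INACTIVE", "PERMISSIVE"}
DEFAULT_ACTIONS = {"ALLOW", "DENY"}
RULE_ACTIONS = {"ALLOW", "DENY", "MONITOR"}
# Fields the rule table marks as required for each ruleType.
REQUIRED_BY_TYPE = {
    "READ": ("file",),
    "WRITE": ("file",),
    "NETWORK_OUTBOUND": ("ipAddress",),
    "NETWORK_INBOUND": ("ipAddress",),
    "SYSCALL": ("syscall", "arg1"),
}


def validate_policy(policy):
    """Return a list of problems; an empty list means the body passes."""
    errors = []
    if policy.get("policyMode") not in POLICY_MODES:
        errors.append("policyMode must be one of %s" % sorted(POLICY_MODES))
    for key in ("defaultNetworkAction", "defaultExecuteAction", "defaultFileAction"):
        if policy.get(key) not in DEFAULT_ACTIONS:
            errors.append("%s must be ALLOW or DENY" % key)
    ignored = policy.get("ignoredSyscalls", [])
    if not isinstance(ignored, list) or not all(isinstance(s, str) for s in ignored):
        errors.append("ignoredSyscalls must be a list of system call names")
    for i, rule in enumerate(policy.get("rules", [])):
        where = "rules[%d]" % i
        if not rule.get("name"):
            errors.append(where + ": name is required")
        if rule.get("action") not in RULE_ACTIONS:  # case sensitive: "deny" fails
            errors.append(where + ": action must be ALLOW, DENY or MONITOR")
        rule_type = rule.get("ruleType")
        if rule_type not in REQUIRED_BY_TYPE:
            errors.append(where + ": unknown ruleType %r" % rule_type)
            continue
        for field in REQUIRED_BY_TYPE[rule_type]:
            if not rule.get(field):
                errors.append("%s: %s is required for %s" % (where, field, rule_type))
    return errors


# Constructed sample, modelled on the /etc/shadow policy used in this guide.
SAMPLE = {
    "name": "Prevent Shadow Access To User", "policyMode": "ACTIVE",
    "defaultNetworkAction": "ALLOW", "defaultExecuteAction": "ALLOW",
    "defaultFileAction": "ALLOW", "ignoredSyscalls": [],
    "rules": [{"name": "Deny access in cat /etc/shadow", "ruleType": "SYSCALL",
               "program": "*/cat", "action": "DENY", "syscall": "sys_open",
               "arg1": "/etc/shadow"}],
}
```

Running validate_policy on a body before the POST or PUT catches a mis-cased value such as "deny" in a DENY rule while the policy defaults are still ALLOW.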


API request:

curl --location --request POST 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/policies' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: text/plain' \
--data-raw '{
  "name": "Prevent Shadow Access To User",
  "created": "2020-11-10T08:14:22.509Z",
  "updated": "2020-11-10T08:14:22.509Z",
  "defaultNetworkAction": "ALLOW",
  "defaultExecuteAction": "ALLOW",
  "defaultFileAction": "ALLOW",
  "rules": [
    {
      "id": "5faa4bdeeda7de00015142c0",
      "name": "Deny access in cat /etc/shadow",
      "created": "0001-01-01T00:00:00Z",
      "updated": "0001-01-01T00:00:00Z",
      "inactive": false,
      "ruleType": "SYSCALL",
      "program": "*/cat",
      "action": "DENY",
      "file": "/etc/shadow",
      "port": 0,
      "ipAddress": "",
      "syscall": "sys_open",
      "arg1": "/etc/shadow",
      "arg2": "",
      "arg3": ""
    }
  ],
  "ignoredSyscalls": [],
  "policyMode": "ACTIVE",
  "description": "Example policy denies access to /etc/shadow from program cat"
}'

Response:

Response Code 200
Response Message

{
  "id": "5fb5e21f5caea20001fd27ce",
  "name": "Prevent Shadow Access To User",
  "created": "2020-11-19T03:10:23.36Z",
  "updated": "2020-11-19T03:10:23.36Z",
  "defaultNetworkAction": "ALLOW",
  "defaultExecuteAction": "ALLOW",
  "defaultFileAction": "ALLOW",
  "rules": [
    {
      "id": "5faa4bdeeda7de00015142c0",
      "name": "Deny access in cat /etc/shadow",
      "created": "0001-01-01T00:00:00Z",
      "updated": "0001-01-01T00:00:00Z",
      "inactive": false,
      "ruleType": "SYSCALL",
      "program": "*/cat",
      "action": "DENY",
      "file": "/etc/shadow",
      "port": 0,
      "ipAddress": "",
      "syscall": "sys_open",
      "arg1": "/etc/shadow",
      "arg2": "",
      "arg3": ""
    }
  ],
  "ignoredSyscalls": [],
  "policyMode": "ACTIVE",
  "description": "Example policy denies access to /etc/shadow from program cat"
}


Update a security policy

/csapi/v1.3/runtime/policies/{policyId}

[PUT]

Input Parameters:


Parameter             Description
policyId              (Required) Specify the ID of the policy to update.
name                  Specify a name for the policy.
description           Provide a description of your policy.
policyMode            (Required) For API v1.3, use policyMode to specify the
Mode                  policy mode using a string value. Possible values:
                      ACTIVE, INACTIVE, PERMISSIVE. Values are case
                      sensitive.
                      For API v1.2, use Mode to specify the policy mode using
                      the numeric value. Possible values:
                      Active: 0 (the default)
                      Inactive: 1
                      Permissive: 2
defaultNetworkAction  (Required) The default action when ruleType is
                      NETWORK_OUTBOUND or NETWORK_INBOUND.
                      Possible values: ALLOW or DENY. Values are case
                      sensitive.
defaultExecuteAction  (Required) The default action when ruleType is
                      SYSCALL. Possible values: ALLOW or DENY. Values are
                      case sensitive.
defaultFileAction     (Required) The default action when ruleType is READ or
                      WRITE. Possible values: ALLOW or DENY. Values are
                      case sensitive.
ignoredSyscalls       (Supported only with API v1.3) Define a list of system
                      call names to ignore for this policy. No events will be
                      created for ignored system calls even if there’s a policy
                      rule match. Only valid system call names are allowed.
                      Enter a list of values like this: ["sys_read", "sys_write"]
rules                 Policy rules defining controls for this policy specified
                      within an array. See Rule Parameters in previous
                      section.

API request:

curl --location --request PUT 'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/policies/5fb5e21f5caea20001fd27ce' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: text/plain' \
--data-raw '{
  "name": "Updated Policy Prevent Shadow Access To User",
  "created": "2020-11-10T08:14:22.509Z",
  "updated": "2020-11-10T08:14:22.509Z",
  "defaultNetworkAction": "ALLOW",
  "defaultExecuteAction": "ALLOW",
  "defaultFileAction": "ALLOW",
  "rules": [
    {
      "id": "5faa4bdeeda7de00015142c0",
      "name": "Deny access in cat /etc/shadow",
      "created": "0001-01-01T00:00:00Z",
      "updated": "0001-01-01T00:00:00Z",
      "inactive": false,
      "ruleType": "SYSCALL",
      "program": "*/cat",
      "action": "DENY",
      "file": "/etc/shadow",
      "port": 0,
      "ipAddress": "",
      "syscall": "sys_open",
      "arg1": "/etc/shadow",
      "arg2": "",
      "arg3": ""
    }
  ],
  "ignoredSyscalls": [],
  "policyMode": "ACTIVE",
  "description": "Example policy denies access to /etc/shadow from program cat"
}'

Response:

{
  "id": "5fb5e21f5caea20001fd27ce",
  "name": "Updated Policy Prevent Shadow Access To User",
  "created": "2020-11-19T03:10:23.36Z",
  "updated": "2020-11-19T03:13:03.083Z",
  "defaultNetworkAction": "ALLOW",
  "defaultExecuteAction": "ALLOW",
  "defaultFileAction": "ALLOW",
  "rules": [
    {
      "id": "5faa4bdeeda7de00015142c0",
      "name": "Deny access in cat /etc/shadow",
      "created": "0001-01-01T00:00:00Z",
      "updated": "0001-01-01T00:00:00Z",
      "inactive": false,
      "ruleType": "SYSCALL",
      "program": "*/cat",
      "action": "DENY",
      "file": "/etc/shadow",
      "port": 0,
      "ipAddress": "",
      "syscall": "sys_open",
      "arg1": "/etc/shadow",
      "arg2": "",
      "arg3": ""
    }
  ],
  "ignoredSyscalls": [],
  "policyMode": "ACTIVE",
  "description": "Example policy denies access to /etc/shadow from program cat"
}



Delete a security policy

/csapi/v1.3/runtime/policies/{policyId}

[DELETE]

Note that you can only delete a policy that is not currently associated with any
instrumented images/containers.

Input Parameters:

Parameter             Description
policyId              (Required) Specify the ID of the policy to delete.

API request:

curl -X DELETE --header 'Accept: text/plain' \
--header 'Authorization: Basic VVNFUk5BTUU6UEFTU1dPUkQ=' \
'https://gateway.qg1.apps.qualys.com/csapi/v1.3/runtime/policies/5fa97660f19b060001e8ab6f'

Response:

response code 200